# GnuPG 2.4 for nixpkgs.
#
# Inputs are the upstream release tarball plus a set of patches from the
# freepg project. Both are fetched by content hash and the patch checkout is
# pinned to a fixed revision, so a changed upstream artifact fails the build
# instead of silently altering it.
{
  lib,
  stdenv,
  fetchurl,
  fetchFromGitLab,
  buildPackages,
  pkg-config,
  texinfo,
  gettext,
  libassuan,
  libgcrypt,
  libgpg-error,
  libiconv,
  libksba,
  npth,
  adns,
  bzip2,
  gnutls,
  libusb1,
  openldap,
  readline,
  sqlite,
  zlib,
  # Keep only the gpg binary and drop every optional dependency.
  enableMinimal ? false,
  # Used solely to pin the pcsclite library path on Linux (see postPatch).
  withPcsc ? !enableMinimal,
  pcsclite,
  # Bake a pinentry program path into the build (--with-pinentry-pgm).
  guiSupport ? stdenv.hostPlatform.isDarwin,
  pinentry,
  # Build against tpm2-tss (adds --with-tss=intel).
  withTpm2Tss ? !stdenv.hostPlatform.isDarwin && !enableMinimal,
  tpm2-tss,
  nixosTests,
}:

# A pinentry program is only meaningful in a full build.
assert guiSupport -> !enableMinimal;

let
  # Subdirectory of the freepg checkout holding patches for the 2.4 branch.
  freepgBranch = "STABLE-BRANCH-2-4-freepg";

  # Patch file names are descriptive of their intent; keep the list sorted
  # by the numeric prefix so the apply order matches the freepg series.
  freepgPatchNames = [
    "0002-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch"
    "0003-gpg-allow-import-of-previously-known-keys-even-witho.patch"
    "0004-tests-add-test-cases-for-import-without-uid.patch"
    "0005-gpg-drop-import-clean-from-default-keyserver-import-.patch"
    "0008-avoid-systemd-deprecation-warning.patch"
    "0009-Add-systemd-support-for-keyboxd.patch"
    "0010-Ship-sample-systemd-unit-files.patch"
    "0011-el-gamal-default-to-3072-bits.patch"
    "0012-gpg-default-digest-algorithm-SHA512.patch"
    "0013-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch"
    "0018-Avoid-simple-memory-dumps-via-ptrace.patch"
    "0019-Disallow-compressed-signatures-and-certificates.patch"
    "0020-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch"
    "0021-gpg-Sync-compliance-mode-cleanup-with-master.patch"
    "0022-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch"
    "0023-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch"
    "0024-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch"
    "0025-gpg-gpgconf-list-report-actual-compliance-mode.patch"
    "0026-gpg-Default-to-compliance-openpgp.patch"
    "0027-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch"
    "0029-Add-keyboxd-systemd-support.patch"
    "0033-Support-large-RSA-keygen-in-non-batch-mode.patch"
    "0034-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch"
  ];
in
stdenv.mkDerivation (finalAttrs: {
  pname = "gnupg";
  version = "2.4.8";

  # Release tarball, verified against the recorded hash.
  src = fetchurl {
    url = "mirror://gnupg/gnupg/${finalAttrs.pname}-${finalAttrs.version}.tar.bz2";
    hash = "sha256-tYyA15sE0yQ/9JwcP8a1+DE46zeEaJVjvN0GBZUxhhY=";
  };

  depsBuildBuild = [ buildPackages.stdenv.cc ];

  nativeBuildInputs = [
    # XXX: do not add autoreconfHook without very careful testing!
    # Problems seen on the last attempt:
    #   * a warning that this is a development version unsuitable for
    #     production use is printed;
    #   * smartcards stop working, at least without pcscd.
    pkg-config
    texinfo
    libgpg-error
  ];

  buildInputs = lib.concatLists [
    [
      gettext
      libassuan
      libgcrypt
      libgpg-error
      libiconv
      libksba
      npth
    ]
    # Everything below is optional functionality dropped in a minimal build.
    (lib.optionals (!enableMinimal) [
      adns
      bzip2
      gnutls
      libusb1
      openldap
      readline
      sqlite
      zlib
    ])
    (lib.optionals withTpm2Tss [ tpm2-tss ])
  ];

  # Pinned checkout of the freepg patch series; the rev and hash together fix
  # the exact patch contents that get applied.
  freepgPatches = fetchFromGitLab {
    domain = "gitlab.com";
    owner = "freepg";
    repo = "gnupg";
    rev = "361c223eb00ca372fbf9506f5150ddbec193936f";
    hash = "sha256-hRuwrB6G2vjp7Md6m+cwoi7g4GtW0sazAEN5RC+AKdg=";
  };

  patches = [
    ./fix-libusb-include-path.patch
    ./static.patch
  ] ++ map (name: "${finalAttrs.freepgPatches}/${freepgBranch}/${name}") freepgPatchNames;

  postPatch = lib.concatStrings [
    # Replace the built-in default keyserver (and its documentation) with
    # keys.openpgp.org.
    ''
      sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1
    ''
    # Pin the libpcsclite library name in scdaemon.c to the Nix store path so
    # the built scdaemon does not resolve it against a system-wide library.
    (lib.optionalString (stdenv.hostPlatform.isLinux && withPcsc) ''
      sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
    '')
  ];

  env = {
    NIX_CFLAGS_COMPILE = lib.optionalString stdenv.hostPlatform.isDarwin "-Wno-implicit-function-declaration";
  };

  configureFlags = lib.concatLists [
    [
      "--sysconfdir=/etc"
      "--with-libgpg-error-prefix=${libgpg-error.dev}"
      "--with-libgcrypt-prefix=${libgcrypt.dev}"
      "--with-libassuan-prefix=${libassuan.dev}"
      "--with-ksba-prefix=${libksba.dev}"
      "GPGRT_CONFIG=${lib.getDev libgpg-error}/bin/gpgrt-config"
    ]
    # Fall back to bin/pinentry when the pinentry package declares no binaryPath.
    (lib.optionals guiSupport [
      "--with-pinentry-pgm=${pinentry}/${pinentry.binaryPath or "bin/pinentry"}"
    ])
    (lib.optionals withTpm2Tss [ "--with-tss=intel" ])
    (lib.optionals stdenv.hostPlatform.isDarwin [ "--disable-ccid-driver" ])
  ];

  # Minimal builds strip the tree down to $out/bin/gpg; full builds expose
  # the libexec helpers on PATH and add the gpg2 compatibility name.
  postInstall =
    lib.optionalString enableMinimal ''
      rm -r $out/{libexec,sbin,share}
      for f in $(find $out/bin -type f -not -name gpg)
      do
        rm $f
      done
    ''
    + lib.optionalString (!enableMinimal) ''
      # add gpg2 symlink to make sure git does not break when signing commits
      ln -s $out/bin/gpg $out/bin/gpg2

      # Make libexec tools available in PATH
      for f in $out/libexec/*; do
        if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi
        ln -s $f $out/bin/$(basename $f)
      done
    '';

  enableParallelBuilding = true;

  passthru = {
    tests = nixosTests.gnupg;
  };

  meta = {
    homepage = "https://gnupg.org";
    changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=${finalAttrs.pname}.git;a=blob;f=NEWS;hb=refs/tags/${finalAttrs.pname}-${finalAttrs.version}";
    description = "Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation";
    license = lib.licenses.gpl3Plus;
    longDescription = ''
      The GNU Privacy Guard is the GNU project's complete and free
      implementation of the OpenPGP standard as defined by RFC4880. GnuPG
      "modern" (2.1) is the latest development with a lot of new features.
      GnuPG allows to encrypt and sign your data and communication, features a
      versatile key management system as well as access modules for all kind of
      public key directories. GnuPG, also known as GPG, is a command line tool
      with features for easy integration with other applications. A wealth of
      frontend applications and libraries are available. Version 2 of GnuPG
      also provides support for S/MIME.
    '';
    maintainers = [
      lib.maintainers.fpletz
      lib.maintainers.sgo
    ];
    platforms = lib.platforms.all;
    mainProgram = "gpg";
  };
})